I have been hacked!

This is an archive of the phpBB 2.0.x support forum. Support for phpBB2 has now ended.
Forum rules
Following phpBB2's EoL, this forum is now archived for reference purposes only.
Please see the following announcement for more information: viewtopic.php?f=14&t=1385785

Postby clkbj » Tue Nov 21, 2006 6:54 pm

Can ANYONE help with this?

http://messageboard.clkbj.com (NSFW - Language)

After looking all over the internet I found where this is some hack team out of Turkey, but there is NO fix that I can find out there.

I have reinstalled and everything I can think of. It seems as though it is just a homepage defacement though as I can still get to this:

http://www.clkbj.com/messageboard/viewf ... df60731fe0

I am at a loss but am willing to let ANYONE look at this.

Much thanks in advance,
Chad~
clkbj
Registered User
 
Posts: 10
Joined: Tue Nov 21, 2006 6:49 pm

Postby Jim_UK » Tue Nov 21, 2006 6:58 pm

What version of phpBB2 are you using?

Please file a report here http://www.phpbb.com/support/incidents/add_report.php
Now make a backup of your files and database, plus a copy of the server logs if you have access to them, in case they are asked for by the IIT.


Jim
Jim_UK
Former Team Member
 
Posts: 18608
Joined: Tue Oct 12, 2004 5:36 pm
Location: Darwen N.West UK

Postby clkbj » Tue Nov 21, 2006 7:07 pm

Jim,
Thank you for your response.

I believe I am running phpBB 2.0.17, but I do not have access to my cPanel right now to tell you for sure.
Chad~
Last edited by clkbj on Tue Nov 21, 2006 7:09 pm, edited 1 time in total.
clkbj
Registered User
 
Posts: 10
Joined: Tue Nov 21, 2006 6:49 pm

Postby gansert » Tue Nov 21, 2006 7:09 pm

They were nice hackers.

Everything is still there

http://messageboard.clkbj.com/memberlist.php
gansert
Registered User
 
Posts: 581
Joined: Wed Mar 08, 2006 8:48 pm
Location: KÖLN, GERMANY

Postby clkbj » Tue Nov 21, 2006 7:11 pm

gansert wrote:They were nice hackers.

Everything is still there

http://messageboard.clkbj.com/memberlist.php


Yeah, they could have done a lot worse to me.

Something else I have noticed (On top of the main page defacement that is), is I cannot log in.

Chad~
clkbj
Registered User
 
Posts: 10
Joined: Tue Nov 21, 2006 6:49 pm

Postby gansert » Tue Nov 21, 2006 7:15 pm

I guess the hackers just changed some file (probably index.php).

You can easily replace that file again. But you must update first or you will be hacked again.
gansert
Registered User
 
Posts: 581
Joined: Wed Mar 08, 2006 8:48 pm
Location: KÖLN, GERMANY

Postby clkbj » Tue Nov 21, 2006 7:20 pm

gansert wrote:I guess the hackers just changed some file (probably index.php).

You can easily replace that file again. But you must update first or you will be hacked again.


I have replaced that file. It comes right back. I am in the process of finding out what version I am running now....

Thanks,
Chad~
clkbj
Registered User
 
Posts: 10
Joined: Tue Nov 21, 2006 6:49 pm

Postby Brf » Tue Nov 21, 2006 7:21 pm

This was added to overall_header.tpl (I removed their URL)

Code:
<STYLE =text/css>BODY {
SCROLLBAR-FACE-COLOR: #000000; SCROLLBAR-HIGHLIGHT-COLOR: #000000; SCROLLBAR-SHADOW-COLOR: darkgray; SCROLLBAR-3DLIGHT-COLOR: #eeeeee; SCROLLBAR-ARROW-COLOR: #000000; SCROLLBAR-TRACK-COLOR: gray; SCROLLBAR-DARKSHADOW-COLOR: #000000
}
A:link {
COLOR: darkblue; TEXT-DECORATION: none
}
A:visited {
COLOR: #000088; TEXT-DECORATION: none
}
A:hover {
COLOR: #000000
}
body, td, th {
color: #000000;
}
table, p, td, tr
{
visibility:hidden;
}
body {
background-color: #000000;
background-image: url('http://XXXXXXXXXXXXXXXXX/image0000029.JPG');
}
</STYLE>


I am guessing that that is in one of your Config or language strings
Last edited by Brf on Tue Nov 21, 2006 7:23 pm, edited 1 time in total.
Brf
Support Team Member
 
Posts: 31192
Joined: Tue May 10, 2005 7:47 pm
Location: {postrow.POSTER_FROM}

Postby Jim_UK » Tue Nov 21, 2006 7:22 pm

Have you tried to access your Admin control panel
http://www.clkbj.com/messageboard/admin/index.php

The hacker will have inserted some script into a description field.
If you get access try the Site description, Forum descriptions, Category descriptions.

Jim
Jim_UK
Former Team Member
 
Posts: 18608
Joined: Tue Oct 12, 2004 5:36 pm
Location: Darwen N.West UK

Postby Brf » Tue Nov 21, 2006 7:27 pm

I think it is the description of the first forum.
Brf
Support Team Member
 
Posts: 31192
Joined: Tue May 10, 2005 7:47 pm
Location: {postrow.POSTER_FROM}

Postby clkbj » Tue Nov 21, 2006 7:28 pm

Jim_UK wrote:Have you tried to access your Admin control panel
http://www.clkbj.com/messageboard/admin/index.php

The hacker will have inserted some script into a description field.
If you get access try the Site description, Forum descriptions, Category descriptions.

Jim


If I try to go there, it asks me to log in and it will not take my log on credentials (and I know I am doing it right)
C~
clkbj
Registered User
 
Posts: 10
Joined: Tue Nov 21, 2006 6:49 pm

Postby Jim_UK » Tue Nov 21, 2006 7:34 pm

This is not a problem.
Assuming that you have done as I asked in my first post then you can either access the tables with phpmyadmin and remove it from those fields or install the Starfoxtj Admin Toolkit that has a built in scanner to find and remove the code that has been inserted into those fields.

This has happened because you did not keep up to date.

Jim
Jim_UK
Former Team Member
 
Posts: 18608
Joined: Tue Oct 12, 2004 5:36 pm
Location: Darwen N.West UK
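
The check described in the post above (looking through the site, category and forum description fields for inserted markup), sketched as an added example; it is not part of the original thread and is not the Starfoxtj toolkit's code. Assumptions: table and column names follow the phpBB 2.0.x schema with the default `phpbb_` prefix, an in-memory SQLite database with constructed rows stands in for the board's MySQL database, and the tag list is a heuristic.

```python
import re
import sqlite3

# (table, key column, text column) for the fields named in the thread: site
# description, category titles, forum names and descriptions. Names follow the
# phpBB 2.0.x schema with the default "phpbb_" prefix (assumption: yours may differ).
FIELDS = [
    ("phpbb_config", "config_name", "config_value"),
    ("phpbb_categories", "cat_id", "cat_title"),
    ("phpbb_forums", "forum_id", "forum_name"),
    ("phpbb_forums", "forum_id", "forum_desc"),
]

# Heuristic (assumption): markup that can restyle or script every page a field is
# rendered on. Harmless formatting such as <b> or <br> is deliberately not flagged.
SUSPICIOUS = re.compile(
    r"<\s*/?\s*(?:script|style|iframe|object|embed|link|meta|base)\b"
    r"|<[^>]+\bon\w+\s*=|javascript:",
    re.IGNORECASE,
)

def scan(conn):
    """Return (table, column, row key, matched text) for each suspicious field."""
    findings = []
    for table, key, col in FIELDS:  # identifiers are constants, never user input
        for row_key, value in conn.execute(f"SELECT {key}, {col} FROM {table}"):
            match = SUSPICIOUS.search(value or "")
            if match:
                findings.append((table, col, row_key, match.group(0)))
    return findings

def build_sample_db():
    """Constructed sample rows in in-memory SQLite, standing in for the MySQL board DB."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE phpbb_config (config_name TEXT, config_value TEXT);
        CREATE TABLE phpbb_categories (cat_id INTEGER, cat_title TEXT);
        CREATE TABLE phpbb_forums (forum_id INTEGER, forum_name TEXT, forum_desc TEXT);
        INSERT INTO phpbb_config VALUES ('site_desc', 'A <b>friendly</b> board');
        INSERT INTO phpbb_categories VALUES (1, 'General');
        INSERT INTO phpbb_forums VALUES (1, 'Announcements',
            'News<STYLE =text/css>table, p, td, tr { visibility:hidden }</STYLE>');
        INSERT INTO phpbb_forums VALUES (2, 'Chat', 'Off-topic talk<br>Be nice');
    """)
    return conn

if __name__ == "__main__":
    for table, col, row_key, hit in scan(build_sample_db()):
        print(f"review {table}.{col} where key={row_key}: contains {hit!r}")
```

The scan only reports rows for manual review; edit the flagged fields after the backup has been taken, so the original values remain available for the incident report.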

Postby clkbj » Tue Nov 21, 2006 7:54 pm

Jim_UK wrote:This is not a problem.
Assuming that you have done as I asked in my first post then you can either access the tables with phpmyadmin and remove it from those fields or install the Starfoxtj Admin Toolkit that has a built in scanner to find and remove the code that has been inserted into those fields.

This has happened because you did not keep up to date.

Jim


Jim,
You are awesome! That fixed my problem.

Now I need to update before it happens again!

Now, when I try to log in with the admin username: clkbj and my pass it will not log in.
Any ideas?

Thanks,
Chad~

P.S. Thanks to everyone else who looked at this too!
clkbj
Registered User
 
Posts: 10
Joined: Tue Nov 21, 2006 6:49 pm

Postby Brf » Tue Nov 21, 2006 7:59 pm

You still have all that junk in the forum description, although it does not appear to be executing anymore.

I wonder if you would have any luck resetting your admin user with that toolkit...
Brf
Support Team Member
 
Posts: 31192
Joined: Tue May 10, 2005 7:47 pm
Location: {postrow.POSTER_FROM}

Postby clkbj » Tue Nov 21, 2006 8:06 pm

Brf wrote:You still have all that junk in the forum description, although it does not appear to be executing anymore.

I wonder if you would have any luck resetting your admin user with that toolkit...


Yeah, I have tried to reset my pw via that toolkit. It takes, but I can still not log in.

Once I get logged in, I will be able to remove all that junk from the forum description.

Thanks,
Chad~
clkbj
Registered User
 
Posts: 10
Joined: Tue Nov 21, 2006 6:49 pm
